- Joined
- Feb 4, 2024
Space Station 13 and Its successors communities - Lolcows and milk... In spess
- Thread starter Darkholme's Dungeon
- Start date
- Joined
- Dec 12, 2022
welcome to citadel station
go fund me
link archive
Back in January 2026, our close friend Jay fell into financial trouble after a tough breakup. Our community has been doing our best to help emotionally, and directly donating to help pay for power, phone, rent, and car payments. During this time, they got laid off from their job, and on March 10th started having severe gastrointestinal health issues.
Thankfully they got hired on a new job, but still has trouble catching up on expenses.
I received permission to start a fundraiser to keep track of how much we've donated and enable others outside our community to help get Jay back on their feet.
This fundraiser's goal is to help Jay pay their expenses for April until they have a job (either current or a new one) which is self-sustaining.
All donations will go directly to the beneficiary, Jay, who is exceedingly thankful for everyone who's helped these past three months. Any donation amount is worthwhile. Our goal can be partially met and still succeed in providing a buffer for Jay's expenses.
Stretch Goals
Ever since they turned 18, Jay has been employed in various positions, such as 5 years as a contractor Telecommunications Lineman, installing high-speed internet and maintaining home connections. With their four cats, they live together with a roommate in a single family home. Jay enjoys hobbies such as PC and VR games, digital art, photography, and cosplaying at conventions. Our community was founded by them in April, 2014 and our Discord was created in 2016, so we've been together with Jay for 12 years.
Special Thanks
Before this fundraiser began, members of our community personally contributed to Jay's urgent needs. Thank you to everyone who has supported our friend or been helpful to them in any way, words cannot express my gratitude for even the smallest kindness.
Donors
Anonymous
Na'ly KalZul (Steve Digson, the miner who is useful sometimes) - $161
Sentre (Krickichee)
Kouta - $50
Anonymous - $85
Subtumaka
Updates
New Goal & Job Opportunity
Jay got a call back from the phone company today, which could be better paying, is closer to home, and is a preferred line of work in telecommunications. However, the bank called shortly after, they're too far behind from the last vehicle payment, and has until March 31st to come up with $468. Jay needs a car for his current work, and a potential better job, so we have a new stretch goal to meet this need. Which I am confident we can pull off, either on GoFundMe or by directly donating to Jay.
So far we've raised $251, Jay has access to $173.32 (because GoFundMe takes a few days to transfer) which Jay can decide how use for food, gas, rent, or re-allocate to contribute to the truck payment.
Three Stretch Goals Complete
We have raised $90 so far on GoFundMe, and $161 on other platforms, covering gas and food for one week and Jay's rent (he splits with a roommate) for one month, completing three of our stretch goals.
Jay is a donor of SaveAFox, a fox rescue sanctuary created by the late Mikayla Raines (which I high recommend you check out at https://www.saveafox.org/)
Fundraiser Announced!
Our host of the Discord server supported us starting a fundraiser for Jay, so we publicly shared the GoFundMe link in the Announcements channel.
For a while Jay was unable to do DoorDash due to too many drivers, but they received an email recently allowing them to be a delivery driver. Since he was low on gas tonight while working, I donated $50 for a starter donation, reaching our first stretch goal.
Our top priority goal is $350 so Jay can feel confident about visiting a doctor to learn about their sickness. We cannot say for certain what is wrong without in-person diagnosis. A loss of employer insurance coupled with high US medical costs made them hesitant, but we hope with your support we can take a step to improve Jay's health by helping pay for their doctor's visit, which will be this week.
After the initial doctor's visit for a diagnosis, we plan to sign up with an affordable health insurance provider in case of follow-up visits.
go fund me
link archive
Back in January 2026, our close friend Jay fell into financial trouble after a tough breakup. Our community has been doing our best to help emotionally, and directly donating to help pay for power, phone, rent, and car payments. During this time, they got laid off from their job, and on March 10th started having severe gastrointestinal health issues.
Thankfully they got hired on a new job, but still has trouble catching up on expenses.
I received permission to start a fundraiser to keep track of how much we've donated and enable others outside our community to help get Jay back on their feet.
This fundraiser's goal is to help Jay pay their expenses for April until they have a job (either current or a new one) which is self-sustaining.
All donations will go directly to the beneficiary, Jay, who is exceedingly thankful for everyone who's helped these past three months. Any donation amount is worthwhile. Our goal can be partially met and still succeed in providing a buffer for Jay's expenses.
Stretch Goals
- $50 - 1 Full Tank of Gas ✓
- $50 - 1 Week of Groceries ✓
- $150 - Rent ✓
- $350 - Doctor's Visit
- $400 - Power Bill
- $468 - Truck Overdue Fees
- $740 - Truck Mortgage
- $2216 - Current Power Bill
Ever since they turned 18, Jay has been employed in various positions, such as 5 years as a contractor Telecommunications Lineman, installing high-speed internet and maintaining home connections. With their four cats, they live together with a roommate in a single family home. Jay enjoys hobbies such as PC and VR games, digital art, photography, and cosplaying at conventions. Our community was founded by them in April, 2014 and our Discord was created in 2016, so we've been together with Jay for 12 years.
Special Thanks
Before this fundraiser began, members of our community personally contributed to Jay's urgent needs. Thank you to everyone who has supported our friend or been helpful to them in any way, words cannot express my gratitude for even the smallest kindness.
Donors
Anonymous
Na'ly KalZul (Steve Digson, the miner who is useful sometimes) - $161
Sentre (Krickichee)
Kouta - $50
Anonymous - $85
Subtumaka
Updates
New Goal & Job Opportunity
Jay got a call back from the phone company today, which could be better paying, is closer to home, and is a preferred line of work in telecommunications. However, the bank called shortly after, they're too far behind from the last vehicle payment, and has until March 31st to come up with $468. Jay needs a car for his current work, and a potential better job, so we have a new stretch goal to meet this need. Which I am confident we can pull off, either on GoFundMe or by directly donating to Jay.
So far we've raised $251, Jay has access to $173.32 (because GoFundMe takes a few days to transfer) which Jay can decide how use for food, gas, rent, or re-allocate to contribute to the truck payment.
Three Stretch Goals Complete
We have raised $90 so far on GoFundMe, and $161 on other platforms, covering gas and food for one week and Jay's rent (he splits with a roommate) for one month, completing three of our stretch goals.
Jay is a donor of SaveAFox, a fox rescue sanctuary created by the late Mikayla Raines (which I high recommend you check out at https://www.saveafox.org/)
Fundraiser Announced!
Our host of the Discord server supported us starting a fundraiser for Jay, so we publicly shared the GoFundMe link in the Announcements channel.
For a while Jay was unable to do DoorDash due to too many drivers, but they received an email recently allowing them to be a delivery driver. Since he was low on gas tonight while working, I donated $50 for a starter donation, reaching our first stretch goal.
Our top priority goal is $350 so Jay can feel confident about visiting a doctor to learn about their sickness. We cannot say for certain what is wrong without in-person diagnosis. A loss of employer insurance coupled with high US medical costs made them hesitant, but we hope with your support we can take a step to improve Jay's health by helping pay for their doctor's visit, which will be this week.
After the initial doctor's visit for a diagnosis, we plan to sign up with an affordable health insurance provider in case of follow-up visits.
Masturbator
kiwifarms.net
- Joined
- Dec 31, 2023
to no one's surprize the furfag's response to financial trouble is to prostitute himself and set up a gibsmedat page
- Joined
- Apr 22, 2022
My friend really likes the game and he really likes ratwood but hates the erp side of things and basically tried to ignore it. He's talked about starting a server that's just the same game but without any erp.
Any clue how you would even do this without being a programmer or having lots of tech experience.
He's basically a military grunt that can barely mod Skyrim without getting confused.
I'm worried that space thirteen is so technically complex and unique that only tranny's make it anymore and so all the servers are gay and retarded and for gooners.
Any clue how you would even do this without being a programmer or having lots of tech experience.
He's basically a military grunt that can barely mod Skyrim without getting confused.
I'm worried that space thirteen is so technically complex and unique that only tranny's make it anymore and so all the servers are gay and retarded and for gooners.
- Joined
- Jun 5, 2025
the dumber the person is, the less likely they are to be affected by the nigger pedo horrors of ss13 community.
Launching a server is not hard (just look at monkestation and how dumb the owner is). Keeping it from turning into a erpball is. He'll probably do fine
Two Frogs
kiwifarms.net
- Joined
- Jun 24, 2025
It is trivially easy if you don't care about features, and you can literally just run it off of your own machine. There's two apps in the folder you download off of github, the "make it ready" button and the "go" button. It requires a little more technical knowhow if you want to set up a database so that you are able to ban people and stuff, but if you don't care about that and it's just you and your homies you can have 12-15 people connect without your PC shitting itself. Beyond that I haven't tested personally, but buying hosting for a tg based server is allegedly not the most difficult thing in the world and not giga expensive. If you can find someone with sysadmin skills and pay them like 20 bucks to set up heidisql and mariadb for you via remote viewer, you're covered.
I used to know a guy. RIP to him. We all took him for granted.
The technical discords for byond and tg are full of nice people who can help you as well. They really do just do it out of love so they're happy to sperg out with anyone who comes and genuinely appreciates their work.
I do not know what base ratwood is tho. Just saying about tg since I know about it.
- Joined
- May 5, 2022
Ratwood is vscode /tg/ c. 2019. So he will have to download VS code to "properly" compile it with the DM extension. My suggestions:
1) Lock it to a single thread/core and not let any processes use that (Linux only), the engine (BYOND) is also 32 bit and limited to 2-3GB ram, this isn't as a big of an issue if you've got bare metal hosting.
2) Don't host it on the Hub. If you got friends state invite/offhub. Hub invites insanity. Expect the most, trooncoded, faggoted gayops if you hub.
3) Defending against DDOS is hard without server side specific tools, if you ever get to that site.
4) If you outgrow your VPS, consider hosting a shitty box in a data center.
5) Expect your host device to get assraped by some troon autist with malware if it's constantly on public.
End user wise, it's not too complex if he's just hosting (Aside from some ultra odd proc/vv calls). It's just noodle-spagetti code (shitcode) everywhere. Thank god for AI.
In the earlier days of ss13 you'd get shit like whzwhz being a proc call (this one ain't broke, don't fix it), magic numbers in health calcs, N^2 issues with electrical grid/ recursive searching, global power grid updates (if you cut a wire, the entire wire map is rebuilt lmao), Goon process scheduler being uniquely shit, etc.
It's mostly patched out. Mostly. Don't code shit that results in memory leaks or recursive searches should keep 90% of your issues at bay. @Some Spaceman could probably tell you more pitfalls to avoid.
- Joined
- Apr 11, 2023
Can you elaborate? What can a client connecting to a server do?
- Joined
- Jan 8, 2025
It's not about the game server itself, there's little an ss13 server can do (assuming you're using a version with all known admin-elevation exploits fixed). Your concern would be with having a proper network set up.
To get into the nitty-gritty in regards to host security on BYOND, your main concern is the shell() function, which enables calls to the system's shell. If you run in Trusted mode, which is required to utilize DLLs that are common-place, shell() can be used. Now, servers like tgstation have this function behind lock and key, and I don't personally know of any exploits that would allow an admin to use the function via AdvancedProcCall or SDQL, but that doesn't mean they don't exist. Alot, and I mean alot, has to go wrong on the server's end to enable a random user to execute arbitrary shell commands. But its *theoretically* possible, if the codebase is old and lacking proper exploit patches.
- Joined
- Apr 11, 2023
So is the concern that there could be an unpublicized method for a client to do a shell injection attack on the server's OS?
Would this risk extend to the ability to do the same attack on other clients connected to the same server?
- Joined
- May 5, 2022
You don't even need the client lmao.
I preface by saying my interest in cybersec is just a hobby. My argument is from memory exploits which require a lot more work than retard flooding malformed packets DDOS.
1) From my recollection, BYOND traffic is unencrypted (no TLS iirc). This means any attacker could in theory record and fake credentials. Can be done on the same VPS with ARP if data center is cheapskate. CID grabbing (why hello, Rshoe), etc
2) No need to talk about DDOS since it already exposes server IP, there's tons of methods if you're dedicated.
3) 32 bit has weaker ASLR randomization. More advanced attack but possible, see below
4) On linux, 32bit API translation relies on compat syscall which has seen several CVEs
Because BYOND likely isn't PIE and is 32 bit, if you take the time to mess around with the codebase + fucking around on BYOND responses locally, you can find specific buffer overflow or use after free conditions, and gain access to the device. Basically, you craft a specific packet that is malformed that triggers a memory issue, and then use something like CVE-2024-1086 to gain root access.
Oh and here's the entropy levels and brute force time roughly.
32-bit ASLR entropy (6 min/attempt):
64-bit ASLR entropy (6 min/attempt):
32-bit at high memory pressure (2GB heap, ~5-6 bits):
AI generated but it should hold true approximately.
| Bits | Possibilities | Average | Worst case |
|---|---|---|---|
| 5 | 32 | 1.6 hrs | 3.2 hrs |
| 6 | 64 | 3.2 hrs | 6.4 hrs |
| 7 | 128 | 6.4 hrs | 12.8 hrs |
| 8 | 256 | 12.8 hrs | 25.6 hrs |
| 9 | 512 | 25.6 hrs | 51.2 hrs |
| 10 | 1,024 | 2.1 days | 4.3 days |
| 11 | 2,048 | 4.3 days | 8.5 days |
| 12 | 4,096 | 8.5 days | 17.1 days |
| 13 | 8,192 | 17.1 days | 34.1 days |
| 14 | 16,384 | 34.1 days | 68.3 days |
| 15 | 32,768 | 68.3 days | 136.5 days |
| 16 | 65,536 | 136.5 days | 273.1 days |
64-bit ASLR entropy (6 min/attempt):
| Bits | Possibilities | Average | Worst case |
|---|---|---|---|
| 23 | 8,388,608 | 95.7 years | 191.5 years |
| 25 | 33,554,432 | 383 years | 766 years |
| 28 | 268,435,456 | 3,063 years | 6,126 years |
| 30 | 1,073,741,824 | 12,251 years | 24,502 years |
| 33 | 8,589,934,592 | 98,005 years | 196,010 years |
32-bit at high memory pressure (2GB heap, ~5-6 bits):
| Scenario | Entropy | Average | Worst case |
|---|---|---|---|
| Max load (late round) | 5 bits | 1.6 hrs | 3.2 hrs |
| High load | 6 bits | 3.2 hrs | 6.4 hrs |
| Moderate load | 10 bits | 2.1 days | 4.3 days |
| Just restarted | 14 bits | 34.1 days | 68.3 days |
I think on Windows libraries (DLLs) persist on program restarts, so just use that, and assume they aren't running dream daemon as admin (lol), abuse the fuck out of the print spooler or other service to get root. Sorry I understand linux more than windows so not much help on this end.
Edit:
shell() command writes directly to the OS. You need not use shell() attacks if you can exhaust resources and force a use after free to compromise the host user. Though you can use shell(). You could also use system() in the c library.
If you compromise the OS and can issue commands, then it becomes possible to compromise other clients since you can view their IPs. And windows runs DM as admin iirc, so client compromise is basically guaranteed if they want to.
Last edited:
- Joined
- Jan 8, 2025
Clients cannot "speak" to other clients. The server can speak to clients, but it can only execute instructions that Dreamseeker understands. Currently, there are no known security issues with Dreamseeker. That said, the most damage you could do to a player via the server is sending a malicious script to an open browser to mine bitcoin or something. But because it's a (heavily locked down) browser window that closes when Dreamseeker closes, that's not exactly that harmful. You can only do as much damage as an annoying adfly page could.
Client's cannot execute code on Byond. Atleast, not normally. SS13 has alot of debug code written, most notably the "View Variables" window and the AdvancedProcCall admin tool. Because byond is dynamically typed and has insane things like call()(), these tools can exist. AdvancedProcCall allows a user with the proper permissions to arbitrarily call procs on objects. However, it has some hard-coded exceptions, like procs belonging to the world object, and these cannot be circumvented directly. However, if you're very, very clever, it is possible to get around it by doing a complicated series of SDQL commands that I won't get into because it doesn't matter. If you want to damage a server, its far easier to just DDoS it or catfish one of the pedo tranny jannies and steal their admin information. That said, that's loser behavior, its a videogame. I'm no griefer squad, I have a job and I'm too old for that shit.
They do not persist between program restarts, they are unloaded. I am not incredibly technically minded, but my understanding is that the library is loaded into RAM the first time a handle is requested, and it is unloaded when the host program terminates, as DLLs are effectively reference counted. The only way memory could persist is if the DLL saves data to disk, like any other program.
The runtime log doesn't include any pointers, it includes human-friendly function names that were compiled into the DMB via the DEBUG flag. That's not how they're actually compiled, as the DMB is effectively a bundle of byond op-codes that DreamDaemon interprets.
Last edited:
- Joined
- May 5, 2022
I stand corrected on both (Too lazy to boot up and force a runtime). I went and checked the 32bit compat registry edit and it is empty. BYOND is old and strange though, I assumed the chance of this was high, lots of weird as custom software pre Vista did that. Specifically, the CJK inputs (Tencent IME, Sogu IME) come to mind.
Don't forget tg server-tools had their own CVE at one point CVE-2024-41799 .
In theory, I guess you can craft a malformed file into an rsc or resource downloaded if you had access to the host server to force another overflow/use after free.In reality, I don't think troons or even autists have the patience for that, I guess maybe if Bashar Al Assad (pre-coup) was playing SS13 and some nation state actor wanted to spy on him, maybe.
Anyways, this just goes to show how older software was insanely insecure. Not that newer ones coded by jeets are better, but hey, at least in principle we know what to avoid.
- Joined
- Apr 11, 2023
I know you're specifically talking about windows, but don't most populated servers run on Linux and wouldn't doing a very basic setup of a Linux server involve disabling the root user and running tg server on a user without su privileges?
I guess since the discussion is about the perspective of somebody just running their own server for friends the assumption would be it's on a windows machine that you assume hasn't been secured and therefore you'd want it dehubbed just to avoid public access and people trying to fuck with it.
- Joined
- Jan 8, 2025
Any SS13 server that has consulted the big hosts has a secure setup. If there was a security exploit it would've already been used on them. Windows Server is a popular OS for the "mid-tier" servers that are usually just a guy and some friends, as it's far less of a pain in the ass for the average joe. It's not notably more or less secure, it's really just a difference in user-friendliness and some weird byond performance quirks. Linux has less overhead than Windows Server and the file IO speed is signficantly faster because Linux's file system isn't fucking awful.
- Joined
- May 5, 2022
Correct. I was considering from the perspective of "random dude and bros having fun" instead of "beg for monies because all spent on yiffsuit with knotdick".
Unless you're a retard who runs linux on everything like me. Fortunately they're all running Ubuntu so there's a bajillion gaping assholes out there. Bay runs ubuntu latest, tg runs 24.04 LTS.
Should've installgantoo and misconfigured instead. At least then you only have your self to blame!
- Joined
- Apr 11, 2023
Do you ever think there's excess protesting on the part of these hosts over engaging in shameful behavior between this and Duke?
"I don't want to stream in my fursuit but I lost all of my jobs and I owe 5,000 in electricity each month, so I have no choice"
"I don't want to host an ERP server but I'm being blackmailed into doing it by people threatening to host it themselves, so I have no choice"
- Joined
- Oct 30, 2024
MSO makes attention post on reddit calling coderbus trannyphobic, milk is implied.
As this post is deleted, we need a humble kiwifag to fetch the milk in coderbus because my discord account is jannified until next week.
As this post is deleted, we need a humble kiwifag to fetch the milk in coderbus because my discord account is jannified until next week.
- Joined
- Jan 8, 2025
I can't be bothered because its lame and unfunny but MSO has been sitting in coderbus for a few months randomly replying to years old discussions about him to go "*she" and generally just fish for attention. Also was present in byondcord doing the same thing, as well as telling people to take estrogen. Boring tranny shit.