OK, so am I right that this guy had a completely unsecured metrics endpoint running on his server? Why would you do that in the first place?