> and one where the password lockout system meant that you could DDoS all admin access trivially

What happened there?