I agree with Don: if you already have your CISSP, it is probably not worth your training budget to take GSEC training/cert. If I were you, I would flip through the SANS training courses and find something either you are interested in or something your company would really need. SANS has some great courses!
"The programs in the following table have known compatibility problems with Windows Vista SP1. For reliability reasons, Microsoft blocks these programs from starting after you install Windows Vista SP1."
So Microsoft is basically saying, "Sorry, but these programs make our O/S look bad, so you can't run them until the companies comply with our standards."
I think from a legal standpoint a lot would depend on how well the unknowing party has separated their data from their significant other's data. For example, they both may own the computer but use separate user accounts that may be password protected. I think that weighs in heavily when considering whether accessing data is legal or not.
If you find a Linux User Group in your area they usually give distros away like candy at a parade. Knoppix is popular so you could probably get one that way if you were willing to do a little digging. It is usually a great place to get good technical information about Linux.
I certainly think it is ethical to accept payment, prizes, or an all-expenses-paid trip to Disney World (WOOT!) for discovering a new vulnerability. Having said that, I also believe that if you plan to "sell" the vulnerability, you have an ethical obligation to attempt to discover the intentions of the purchaser before committing to the sale. For example, if I were going to sell a vulnerability, I would require a written statement from the purchaser stating what they intended to do with the vulnerability. Obviously, if their written intentions were illegal/unethical, I would cancel the sale right then and there. If later the company double-crossed me and decided to do something unethical with the vulnerability I sold them, then I would release the vulnerability information to the software manufacturer and other security research companies. That way, hopefully, the vulnerability could be patched as soon as possible.
As long as a vulnerability researcher is conscientious about who they release vulnerabilities to, I don't see any reason why they shouldn't be paid for their work.